
SOX 404: Making compliance easier

December 31, 2007 14:09 IST

On May 23, the US Securities and Exchange Commission approved the final Interpretive Guidance for Management on the implementation of Section 404 of the Sarbanes-Oxley Act (SOX 404), and on May 24, 2007 it adopted the Accounting Standard 5 (AS5) of the Public Company Accounting Oversight Board, which replaces the existing Accounting Standard 2 governing SOX 404 compliance.

As AS5 stands adopted by the SEC, it is effective for audits of entities with financial years ending on or after November 15, with earlier adoption encouraged.

Companies in the past have ended up spending large amounts of energy on SOX 404 implementation. The new guidance is aimed at ensuring that companies are able to scale and tailor their evaluation procedures to fit their facts and circumstances.

The main intention of the revised guidance is to ensure that the benefits of SOX 404 compliance outweigh the cost (both in terms of time and money) of implementation, such that both investors and management can reap the benefits of SOX 404 compliance.

We elaborate on some of the most significant changes in this revised regulation below.

The new guidelines have allowed more elbow room for the management's evaluation.

In the past, separate guidance for management's evaluation of internal controls did not exist and companies therefore followed PCAOB's AS2 (actually meant for the auditors) as a proxy.

The new SEC guidelines for management's evaluation are far more principle-based (as opposed to the more prescriptive guidelines contained in AS2) and also allow more flexibility to management in tailoring their evaluation to particular circumstances.

The SEC guidance is organised around two overriding, related principles. The first is that management should evaluate the design of the controls to determine whether they adequately address the risk that a material misstatement in the financial statements would go undetected.

This approach focuses attention on those controls necessary to prevent and detect material misstatements in the financial statements. The guidance clearly states that there is no requirement to identify every control in a process or to document the operating activities affecting internal control over financial reporting.

The second overriding principle is that management's evaluation of the operation of its controls should be based on its assessment of the risk associated with those controls. The guidance provides an approach to obtain evidence to support the effective operation of the controls consistent with an assessment of risk associated with those controls.

This approach allows management to align the nature and extent of its procedures and the evidence it obtains with the financial-reporting areas that pose the greatest risk to reliable financial reporting.

Management may therefore be able to use more efficient procedures in obtaining evidence, such as performing self-assessments in low-risk areas and more extensive testing in high-risk areas, or even using the results of related activities (e.g. a SAS 70 review) to build the necessary evidence.

Another aspect of the new guidelines is the removal of the requirement for the auditors to opine on management's evaluation process. Previously, the auditors were required not only to provide their opinion on the effectiveness of a company's internal controls over financial reporting, but also to opine on whether management's own process for evaluating internal controls was acceptable.

According to the revised regulations, the auditors' report would express only one opinion on internal control: an opinion on the effectiveness of the company's internal control over financial reporting. Auditors would express no opinion on whether management's assessment was fairly stated.

The removal of the requirement to opine on management's evaluation process, coupled with the issuance of separate guidelines for management by the SEC (which do not mandate the use of the COSO framework), has led not only to more flexibility for management, but also to a significant reduction in the effort involved for the auditors, thus bringing down the overall cost.

The new guidelines have changed the definitions of Significant Deficiency and Material Weakness. The revised definition of Material Weakness states that "A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis."

Significant Deficiency has been defined as "A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting."

These revised definitions of impact and likelihood replace previous definitions which were far more stringent ("more than inconsequential" impact and "less than remote" likelihood), thus allowing management to avoid overly detailed levels of documentation and evaluation and to retain the focus on key controls alone.

The revised guidelines take a top-down, risk-based approach to internal control identification. The new guidelines also explicitly state that the company should identify significant accounts and relevant assertions, and the controls that address the risks of material misstatement relating to each relevant assertion.

In particular, the guidance states that management should begin with the financial statement elements, not processes, controls or locations. This is in contrast to the more process-based, control-focused approach used earlier, which led to the documentation and evaluation of a much larger number of controls than were found necessary as the evaluation progressed.

The new guidance also stresses the importance of entity-level controls ('ELC') as key elements of a company's internal control environment and hence the controls most likely to ensure that material errors or misstatements in financial reporting are prevented or detected.

The guidance allows companies to leverage ELC by addressing the risk related to the relevant assertion, or by providing some assurance so that the testing of other controls related to that assertion can be reduced.

A direct ELC also reduces the level of evidence needed from process/transaction-level controls, and monitoring ELCs can be leveraged to reduce testing in low-risk areas.

Overall, the new approach allows a company to concentrate and invest its time and resources on the issues that are likely to pose the greatest risk to financial reporting and to reduce the number of controls which actually have to be tested in performing its evaluation, thus reducing effort and cost.

In the past, organisations viewed SOX 404 as a huge compliance cost. The SEC and PCAOB, through the revised guidance, want to change this perspective. The objective is to highlight the significant benefits of enhanced focus on corporate governance and controls and higher quality of financial reporting, ensuring that the benefits outweigh the cost to achieve the objective.

It is hoped that this will also lead to the US once again becoming a favoured destination for companies seeking international listings.

The writers are from Ernst & Young.

Manesh Patel & Pratik Shah